Friday, February 3, 2012

Malware Analysis Tutorial 15: Injecting Thread into a Running Process

Learning Goals:
  1. Understand process/thread privileges
  2. Understand intercommunication and object duplication among processes
  3. Practice analyzing function call parameters and stack
Applicable to:
  1. Operating Systems
  2. Assembly Language
  3. Operating System Security
1. Introduction
In this tutorial, we show you another intriguing behavior of Max++: it removes the Max++Loader.exe from disk once it finishes its infection operations, such as modification of registry and infection of driver DLL files. The removal operation is accomplished using a series of interesting techniques: changing of process privileges, adding threads to another running process, hooking up timer events, and return oriented programming (more exactly return to libc attacks).

We will analyze the code from 0x3C1193  in this tutorial.

The key to analyzing such malicious activities is to examine the system calls placed by Max++. We have introduced the techniques and skills you need for such analysis in Tutorial 14.

2. Lab Configuration
(0) Start WinXP image in DEBUGGED mode. Now in your host system, start a windows command window and CD to "c:\Program Files\Debugging Tools for Windows (x86)" (where WinDBG is installed). Type "windbg -b -k com:pipe,port=\\.\pipe\com_12" (check the com port number in your VBox instance set up). When WinDbg initiates, types "g" (go) twice to let it continue.

(1) Now launch IMM in the WinXP instance, clear all breakpoints and hardware breakpoints in IMM (see View->Breakpoints and View->Hardware Breakpoints).

(2) Go to 0x4012DC and set a hardware breakpoint there. (why not software bp? Because that region will be self-extracted and overwritten and the software BP will be lost). Pay special attention that once you go to 0x4012DC, directly right click on the line to set hardware BP (currently it's gibberish code).

(3) PressF9 several times run to 0x4012DC. You will encounter several breakpoints before 0x4012DC. If you pay attention, they are actually caused by the int 2d tricks (explained in Tutorial 3 and 4, and 5). Simply ignore them and continue (using F9) until you hit 0x4012DC.

Figure 1 shows the code that should be able to see. As you can see, this is right before the call of RtlAddVectoredException, where hardware BP is set to break the LdrLoadDll call (see Tutorial 11 for details). At this point, the code at 0x3C24FB has not been extracted. If you go to 0x3C24FB at this moment, IMM will complain that this address is not accessible.
Figure 1: code at 0x4012DC
(4) Now scroll down about 2 pages and set a SOFTWARE BREAKPOINT at 0x401417. This is right after the call of LdrLoadDll("lz32.dll"), where Max++ finishes the loading of lz32.dll. Then hit SHIFT+F9 several times until you reach 0x401417 (you will hit 0x7C90D500 twice, this is somwhere inside ntdll.zwMapViewSection which is being called by LdrLoadDll).

Figure 2: code at 0x401407

(6) Now we will set a breakpoint at 0x3C1193.  Goto 0x3C1193and set a SOFTWARE BREAKPOINT there. Press SHIFT+F9 to run to 0x3C1193. (You may see a warning that this is out range of the code segment, simply ignore the warning).

(Figure 3 shows the code that you should be able to see at 0x3C1193. The first instruction should be PUSH EBP, and then MOV EBP, ESP, and then SUB EBP, 384.).

Figure 3: Function 0x3C1193
3. Brief Analysis of Function 0x3C1193
We now briefly describe the functionality of 0x3C1193 and we leave most analysis details to you in Section 4 (challenges).

The first part of the code is shown in Figure 3. Max++ first calls a function getModuleHandleW of itself, and then it calls LdrFindEntryForAddress (its own module). Then there is a big loop from 0x3C11F1 to 0x3c1224, which follows the module list and examine the information of processes. This is done using zwQueryProcessInformation (there is an internal loop which adjusts the buffer size if the size is not enough). After several iterations, Max++ identifies a process which satisfies some criteria on parent process and children threads. In our case, the process identified is smss.exe. Then it opens a thread (think about which thread it is), and assign a bunch of privileges to the thread (See Figure 4).

Figure 4. Adding Privileges to Thread
Figure 5 shows the next section of the code. This part is quite interesting. Now look at the function call at 0x003C12DA. The DosPathNameToNtPathName call converts string "c:\.. ..\Max++downloader.exe" to the format of NtPath (look at the stack top for the string). Then it opens the file at 0x0003C1331, and then duplicates the file object at 0x003C1355. Notice where is the duplicate object to be created! It's to be placed in the "smss.exe" process (which is not the Max++ process)!

Figure 5. Duplicate File Object
The last part of the code is very tricky, and we'll leave the discussion of the return oriented technique to the next tutorial. Here, we'll only give some general idea. Figure 6 shows the last part of the code. At 0x003C1393, Max++ calls RtlCreateUserThread to create a new thread (question: who's the owner? Max++ or smss.exe?). Then it sets up the context of the newly created thread. From 0x003C13CF to 0x3C14FF, Max++ spent quite some efforts in setting up the contents of a piece of memory and then it copies this piece to a special region in the target process (smss.exe). Then it calls zwSetContextThread (at 0x003C1481) to set up the EIP register of the new thread. NOTE that here we have not specified the function body for the new thread! How does the new thread accomplish the job? We'll elaborate a very interesting technique called return oriented programming in the next tutorial.
Figure 6. Create a New Thread in smss.exe Process

4. Challenges
[Hint: for system functions started with "zw", the "nt" series documentation can be often found. For example, "zwDuplicateObject" has a corresponding "ntDuplicateObject"]

Challenge 1. Analyze the semantics of all function parameters and the return of getModuleHandleW call at 0x3C11A6 (see Figure 3)

Challenge 2. Analyze the semantics of all function parameters and the return of LdrFindEntryForAddress call at 0x3C11AD (see Figure 3)

Challenge 3. Analyze the semantics of all function parameters and the return of zwQuerySystemInformation call at 0x3C11F3 (see Figure 3)

Challenge 4 Summarize the function of the loop starting from 0x3C1209 to 0x3C123F which searches for a a process to inject a thread. There are some properties such a host process must satisfy. Read the code and describe these desired properties (on parent process and children threads).

Challenge 5 In Figure 4, Max++ is adding a collection of privileges to a thread? Which thread it is (which process does this thread belong to)? Try to figure it out and prove that your argument is correct.

Challenge 6 In Figure 4, Max++ is adding a collection of privileges to a thread? Analyze RtlAdjustPrivilege calls at 0x003C1297, 0x003C12A3, 0x003C12AF, 0x003C12BB, etc. List the privileges added.

Challenge 7  Analyze the function call DosPathNameToNtPathName at 0x003C12DA (in Figure 5).

Challenge 8  Analyze the function call zwOpenFile at 0x003C1331 (in Figure 5).

Challenge 9  Analyze the function call zwDuplicateObject at 0x003C1355 (in Figure 5). Where is the new object (duplicated object) stored?

Challenge 10  Analyze the function call zwDuplicateObject at 0x003C136e (in Figure 5). Which object is duplicated?

Challenge 11  Analyze the function call RtlCreateUserThread at 0x003C1390 (in Figure 6).

Challenge 12  Analyze the function call zwContextThread at 0x003C13B5 (in Figure 6). 

Challenge 13  Analyze the function call zwWriteVirtualMemory at 0x003C145F (in Figure 6). 


  1. Thanks man. I am looking for this kind of step by step introductory on such a complex subject. nicely start reading from you first post. keep posting...

    1. IEEE Final Year Project centers make amazing deep learning final year projects ideas for final year students Final Year Projects for CSE to training and develop their deep learning experience and talents.

      IEEE Final Year projects Project Centers in India are consistently sought after. Final Year Students Projects take a shot at them to improve their aptitudes, while specialists like the enjoyment in interfering with innovation.

      corporate training in chennai corporate training in chennai

      corporate training companies in india corporate training companies in india

      corporate training companies in chennai corporate training companies in chennai

      I have read your blog its very attractive and impressive. I like it your blog. Digital Marketing Company in Chennai

  2. Hey, nice site you have here! Keep up the excellent work!

    Function Point Estimation Training

  3. QTP is flagship automation testing tool, which is used to perform functional and regression testing on a software application. Training on this automation will ensure lucrative career opportunity for aspiring professionals. Best QTP Training Institute In Chennai

  4. I have read your blog and i got a very useful and knowledgeable information from your blog.its really a very nice article. I did Loadrunner Training in Chennai. This is really useful for me. Suppose if anyone interested to learn Manual Testing Training in Chennai reach FITA academy located at Chennai Velachery.

  5. Your posts is really helpful for me.Thanks for your wonderful post. I am very happy to read your post.
    SEO Training in chennai|SEO Training chennai

  6. Nice article i was really impressed by seeing this article, it was very interesting and it is very useful for Learners..
    Cloud Computing Training in chennai | Cloud Computing Training chennai

  7. It helps the software developers and programmers to validate software application performance and behavior before deployment.Nice article.

    VMWare Training in chennai | VMWare Training chennai

  8. Thanks for your information. QTP provide most precise and independent review about a software application. This automation testing tool is ideal to determine the performance and validity of a software application. QTP training

  9. Really awesome blog. Thanks for sharing this informative blog. Currently I have completed Software Testing Training in Chennai at a reputed training institutes. If you are looking for best Software Testing Training Institutes in Chennai reach FITA located at Chennai, India.

  10. I have been following your posts regularly. It is very informative that I share it with my students.
    QTP Training Chennai

  11. Thanks for your wonderful post. I am very happy to read your post.

  12. This is really informative. Thanks for sharing this article

  13. Hello admin, thank you for your informative post on hadoop training in Chennai. It helped a lot in training my students during our hadoop training Chennai sessions. We at Fita, provide big data training in Chennai for students who are interested in choosing a career in big data.

  14. I have finally found a Worth able content to read. The way you have presented information here is quite impressive. I have bookmarked this page for future use. Thanks for sharing content like this once again. Keep sharing content like this.

    Software testing training in chennai | Software testing course | Software testing training chennai

  15. This comment has been removed by the author.

  16. It’s in reality a great and useful piece of information. I am happy that you simply shared this helpful info with us. Please keep us informed like this. Thank you for sharing.

    Shop Drawings Preparation
    Shop Drawings Preparation in USA

  17. Nice post. Thanks for sharing! I want people to know just how good this information is in your article. It’s interesting content and Great work.
    Thanks & Regards,
    VRIT Professionals,
    No.1 Leading Web Designing Training Institute In Chennai.

    And also those who are looking for
    Web Designing Training Institute in Chennai
    SEO Training Institute in Chennai
    Photoshop Training Institute in Chennai
    PHP & Mysql Training Institute in Chennai
    Android Training Institute in Chennai


  18. บริการโชเฟอร์ของ ecocar มุ่งหมายที่จะบรรลุมาตรฐานสูงสุดเท่าที่จะเป็นได้ในการให้บริการผู้โดยสารทุกคน ไม่ว่าคุณจะเพิ่งก้าวออกจากสนามบิน LAX ในแคลิฟอร์เนียเพื่อติดต่อธุรกิจ หรือต้องการรถไปส่งที่สนามบินสุวรรณภูมิหลังจากการท่องเที่ยวพักผ่อนในประเทศไทย Blacklane จะนำคุณไปยังจุดหมายอย่างผ่อนคลายและพร้อมสำหรับการเดินทางด้วยบริการแท็กซี่รับส่งสนามบิน หรือหากคุณกำลังเดินทางจากสนามบินไปยังโรงแรมพร้อมกับครอบครัวหรือเพื่อน บิสซิเนสแวนของ Blacklane ก็พร้อมให้บริการผู้โดยสารสูงสุดถึงห้าคนพร้อมพื้นที่กว้างขวางสำหรับสัมภาระ หรือจะจ่ายเพิ่มอีกสักนิดสำหรับบริการเฟิร์สคลาสซึ่งเป็นสุดยอดของความสบายและสไตล์ เหมาะอย่างยิ่งสำหรับการเรียกใช้งานในโอกาสพิเศษ


  19. Thanks for sharing, very informative blog.

  20. We are usually available 24/7 and our cheap coursework writing service team can be contacted and also seek our annotated bibliography writing services at any time.

  21. Aran’s traditional milk is pure A2 milk, Nattu Kozhi Muttai Chennai, Organic Milk Chennai, A2 Milk Chennai, Cow Milk Chennai, Naatu Maatu Paal Chennai Chennai hand-milked in a traditional way from healthy native Indian breeds and reaches your doorstep.

    Milking Process
    The milking is done from indigenous cows by using hands. No machines are used in order to ensure no harm is done to the cows

    Packing Methods
    As soon as milking is done, the milk is filtered and packed in the FSSAI certified place with hairnets and gloves on this packing is done into the 50 microns wrappers which are not reactive to the food items. Again, no machines are used for packing to contribute to the environment, as they consume more water and power.

    Milk Delivery
    As soon as packing and quality check are done, the milk packets are collected and brought for delivery.

  22. This article is interesting, if you want to know more visit

    our website


  23. Hi there, I found your site via Google at the
    same time as looking for a comparable matter, your website came up, it
    seems to be good. I’ve bookmarked it in my google bookmarks.
    Here is the link of Artweaver Plus Free Download:
    It’s a complete painting tool with a huge collection of descriptive realistic brushes that allow you to paint and experiment creatively.